How to test TLS connection and server certificate

uherbst Member, Employee Posts: 44 Solace Employee

If you use TLS to secure your connections (and you should use TLS as often as possible), you sometimes have issues connecting to your TLS ports.
Here, I will describe a way to debug that.

Try to connect to a port

You're not sure whether your service / port is enabled or (most probably) whether all your firewall rules are in place?
From the client, try to connect to the server port.
Often telnet is recommended. I don't recommend that, because the handling of telnet is a little bit complicated, especially quitting telnet after connecting. I recommend nc for that:

$ nc -vz 10.71.1.8 8883
Connection to 10.71.1.8 8883 port [tcp/*] succeeded!

Explanation:
-v: Be verbose, i.e. report whether the connection succeeded
-z: Just try to connect and stop, don't send any data

Check TLS server certificate

To see details of the server certificate, use openssl:

$ openssl s_client -connect mr16jp1pl7tfu7.messaging.solace.cloud:55443
CONNECTED(00000005)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte RSA CA 2018
verify return:1
depth=0 C = CA, ST = Ontario, L = Kanata, O = Solace Corporation, CN = *.messaging.solace.cloud
verify return:1
---
Certificate chain
 0 s:/C=CA/ST=Ontario/L=Kanata/O=Solace Corporation/CN=*.messaging.solace.cloud
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte RSA CA 2018
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte RSA CA 2018
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGpzCCBY+gAwIBAgIQBpfhPEvol9Rx6KExmHCJ2TANBgkqhkiG9w0BAQsFADBc
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMRswGQYDVQQDExJUaGF3dGUgUlNBIENBIDIwMTgwHhcN
MTkwOTE5MDAwMDAwWhcNMjEwOTE4MTIwMDAwWjBwMQswCQYDVQQGEwJDQTEQMA4G
A1UECBMHT250YXJpbzEPMA0GA1UEBxMGS2FuYXRhMRswGQYDVQQKExJTb2xhY2Ug
...
DKszydaiybTA73m8w6YabN2BrpqvkaxA8zrbjeJ30cvgPM0ZzA2JRYnPvjxHQLyd
uyQBGQcGAr2U0rjbVixFyFYs2dlXfbAHf7A6
-----END CERTIFICATE-----
subject=/C=CA/ST=Ontario/L=Kanata/O=Solace Corporation/CN=*.messaging.solace.cloud
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte RSA CA 2018
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3392 bytes and written 334 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: 59FE52516A3EA4A63FAA1EAB8045EE8A0F5813D6F9D83E6A02931BFFEFCA5C382D2C3670655169B097F104F9D8F75577
    Start Time: 1607409440
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

What can we see here:
1. Common name of your server:
subject=/C=CA/ST=Ontario/L=Kanata/O=Solace Corporation/CN=*.messaging.solace.cloud
2. Certificate chain for your certificate:

Certificate chain
 0 s:/C=CA/ST=Ontario/L=Kanata/O=Solace Corporation/CN=*.messaging.solace.cloud
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte RSA CA 2018
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte RSA CA 2018
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA

With this information, you know that you need the certificates for DigiCert Global Root CA and Thawte RSA CA 2018 to validate your server certificate.
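To turn the two checks above into something repeatable, here is an added shell example (not from the original post). It assumes nc and openssl are on PATH; the SAMPLE variable is a constructed excerpt of the s_client output shown above so the parsing part runs without network access.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes nc and openssl are on PATH.

# Summarise openssl s_client output read on stdin: one line per chain entry
# (subject and issuer) plus the final verify return code.
summarize_chain() {
    awk '
        /^Certificate chain/       { inchain = 1; next }
        inchain && /^---/          { inchain = 0 }
        inchain && /^ *[0-9]+ s:/  { sub(/^ *[0-9]+ s:/, ""); print "subject: " $0 }
        inchain && /^ *i:/         { sub(/^ *i:/, "");        print "issuer:  " $0 }
        /Verify return code:/      { sub(/^ *Verify return code: */, ""); print "verify:  " $0 }
    '
}

# Succeeds only if OpenSSL could build the chain up to a root in its local trust store.
chain_verified() {
    grep -q 'Verify return code: 0 (ok)'
}

# Live check: TCP reachability with nc -vz, then a TLS handshake with SNI set,
# reading stdin from /dev/null so s_client exits right after the handshake.
tls_check() {
    nc -vz "$1" "$2" || return 1
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | summarize_chain
}

# Constructed sample: an excerpt of the s_client output shown above, so the
# parsing functions can be exercised without network access.
SAMPLE=$(cat <<'EOF'
CONNECTED(00000005)
---
Certificate chain
 0 s:/C=CA/ST=Ontario/L=Kanata/O=Solace Corporation/CN=*.messaging.solace.cloud
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte RSA CA 2018
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte RSA CA 2018
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
SSL-Session:
    Verify return code: 0 (ok)
EOF
)

printf '%s\n' "$SAMPLE" | summarize_chain
# Against a live endpoint: tls_check mr16jp1pl7tfu7.messaging.solace.cloud 55443
```

A "Verify return code: 0 (ok)" line means OpenSSL found a path from the server certificate to a root in its local trust store; codes 20 (unable to get local issuer certificate) or 21 (unable to verify the first certificate) usually mean one of the CA certificates listed in the chain is missing on the client side.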
